
Saturday, December 19, 2015

How to deal with Spoofed Emails

Spoofed emails are increasing in the messaging world, and they are causing a lot of fraud by impersonating someone else. We, as messaging admins, can take certain steps to avoid this kind of cheating/fraud. These steps are not simple if the organization you work for has been in business for a very long time, as there can be genuine spoofs as well.

Let's Start with, What is a Spoof Email ?

E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. Distributors of spam often use spoofing in an attempt to get recipients to open, and possibly even respond to, their solicitations. Spoofing can also be used legitimately, as I mentioned in the last email.

Examples of genuine spoofing are applications that sit outside your network but use your domain in their sender addresses.

We want to block the fraudulent spoofing and allow the genuine kind. There are three standards available to help with these challenges, but the problem is that, so far, they are not used by many email domains.

SPF, DKIM & DMARC

SPF: An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.

DKIM: DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators and that the email (including attachments) has not been modified during transport. A digital signature included with the message can be validated by the recipient using the signer's public key published in the DNS. In technical terms, DKIM is a technique to authorize the domain name which is associated with a message through cryptographic authentication.

DMARC: A DMARC record provides "sentencing guidelines" to other email servers: it advises a mail server how to handle email that fails SPF and DKIM validation tests. DMARC considers a message "valid" if it passes ONE of these tests.

If there are applications outside your network that impersonate your domain, the best approach is to follow the chart below: first add an [External] tag to emails that arrive impersonating your domain from IPs that are not in the whitelist. This kind of rule can be created at the email gateway.

You can go one step further and quarantine emails that impersonate VIP users in your organization, while still applying the [External] tag to the rest of the spoofed mail (excluding whitelisted IPs).

The tag needs to be communicated to your user population, so that they understand what it means and are cautious when an email appears to come from a known internal sender but carries the [External] tag.

Once this is done, in the second phase you can work on analysis and add the missing whitelist IPs. When that is completed, change the rule to quarantine instead of tag.
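The two-phase gateway rule described above, written out as an added example (this is not the post's own code or any gateway product's configuration). It assumes a constructed protected domain, whitelist, and VIP list; SPF/DKIM/DMARC evaluation is left to the gateway and is not modelled here.

```python
# Added example: model of the gateway rule (tag / quarantine / deliver) from this post.
import ipaddress
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the domain being impersonated (constructed)
# assumption: IPs/ranges of genuine external applications that send as our domain
WHITELIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7")]
VIP_USERS = {"ceo@example.com", "cfo@example.com"}  # assumption: constructed VIP list
TAG = "[External]"


def is_whitelisted(src_ip: str) -> bool:
    """True if the connecting IP belongs to a known genuine sender."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in WHITELIST)


def classify(raw_message: str, src_ip: str, phase: int = 1) -> tuple:
    """Return (action, subject) for a message received from src_ip.

    Phase 1: quarantine VIP impersonation, tag every other spoof of our domain.
    Phase 2: once the whitelist is complete, quarantine all remaining spoofs.
    Mail whose From is not our domain, or whose source IP is whitelisted,
    is delivered unchanged.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    subject = msg.get("Subject", "")
    domain = sender.rpartition("@")[2]
    if domain != OUR_DOMAIN or is_whitelisted(src_ip):
        return "deliver", subject
    # From claims our domain but the source is not a known genuine sender.
    if sender in VIP_USERS or phase >= 2:
        return "quarantine", subject
    if not subject.startswith(TAG):
        subject = f"{TAG} {subject}"
    return "tag", subject


# constructed sample message claiming to come from an internal user
SAMPLE = "From: Jane Doe <jane@example.com>\r\nSubject: Invoice\r\n\r\nPlease pay.\r\n"
```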

You should still implement DKIM, SPF and DMARC records for your domain, as in the future these will be widespread.